Bug 21227

Summary: nginx new security issue CVE-2017-7529
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: drewbinskyn, herman.viaene, lanikane68, marja11, mhrambo3501, seekborrow, sysadmin-bugs, tarazed25, tedriemeltz21, timothysykestss
Version: 6Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5TOO MGA6-32-OK mga6-64-ok MGA5-64-OK
Source RPM: nginx-1.10.3-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-07-12 02:13:04 CEST 
Upstream has issued an advisory today (July 11):
http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html

The issue is fixed in 1.12.1 and a patch is linked from the message above.

Mageia 5 and 6 are also affected.
David Walser 2017-07-12 02:13:10 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-07-12 23:35:25 CEST 
Reassigning to all packagers collectively, since there is no longer a registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 David Walser 2017-07-14 13:23:49 CEST 
Debian and Ubuntu have issued advisories for this on July 12 and 13:
https://www.debian.org/security/2017/dsa-3908
https://www.ubuntu.com/usn/usn-3352-1/
Comment 3 Mike Rambo 2017-07-26 21:02:21 CEST 
TV updated cauldron to 1.12.1 on the 19th so it is already fixed.


Updated packages uploaded for Mageia 5 and 6.

Advisory:
========================

Updated nginx package fixes security vulnerability:

A security issue was identified in nginx range filter.  A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in sensitive information
leak (CVE-2017-7529).

References:
http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7529
========================

Updated packages in core/updates_testing:
========================
nginx-1.6.2-5.3.mga5
nginx-debuginfo-1.6.2-5.3.mga5
from nginx-1.6.2-5.3.mga5.src.rpm

nginx-1.10.3-1.1.mga6
nginx-debuginfo-1.10.3-1.1.mga6
from nginx-1.10.3-1.1.mga6.src.rpm


Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=18595#c4

CC: (none) => mrambo
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs

Comment 4 Herman Viaene 2017-07-28 13:25:24 CEST 
MGA6-32 on Asus A6000VM MATE
no installation issues
Procedure as stated above works OK.

Whiteboard: MGA5TOO => MGA5TOO MGA6-32-OK
CC: (none) => herman.viaene

Comment 5 Len Lawrence 2017-07-28 19:03:38 CEST 
mga5  x86_64

Stopped Apache.
Installed nginx, started it as a service and checked the Welcome page on localhost.  OK.

Updated nginx from Core Updates Testing but could not see the debuginfo package.
<lightbulb!>
Enabled Core Updates Testing Debug and installed nginx-debuginfo.
Restarted nginx (but it was probably already reloaded at installation time).
The Welcome page announced 1.10.3.

CC: (none) => tarazed25

Len Lawrence 2017-07-28 19:04:47 CEST

Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-64-OK

Comment 6 Len Lawrence 2017-07-28 19:11:46 CEST 
Withdrawing the OK.  Had forgotten that this production machine is running mga6.

Whiteboard: MGA5TOO MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-32-OK

Comment 7 David Walser 2017-07-28 20:16:43 CEST 
Len, debuginfo packages don't need to be installed or tested.  Mike, thanks for the update.  Please don't list debuginfo packages when pushing updates to QA.
Comment 8 Len Lawrence 2017-07-28 20:31:07 CEST 
Thanks David.

x86_64
Stopped apache and installed nginx-1.6.2-5.2.mga5 on a genuine mga5 system.
The welcome page states version 1.10.3.

$ sudo systemctl start nginx
$ systemctl status nginx
● nginx.service - A high performance web server and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
   Active: active (running) since Fri 2017-07-28 19:18:18 BST; 4s ago
  Process: 7493 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited,

Refreshed firefox.
Welcome page announced nginx 1.6.2

Installed the update:
$ rpm -qa | grep nginx
nginx-1.6.2-5.3.mga5
Refreshed the browser and checked localhost -> nginx 1.6.2
Len Lawrence 2017-07-28 20:31:25 CEST

Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-64-OK

Comment 9 claire robinson 2017-07-30 14:12:00 CEST 
Testing complete mga6 64

Validating.

Whiteboard: MGA5TOO MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-32-OK mga6-64-ok MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Rémi Verschelde 2017-07-30 14:18:56 CEST

Whiteboard: MGA5TOO MGA6-32-OK mga6-64-ok MGA5-64-OK => advisory MGA5TOO MGA6-32-OK mga6-64-ok MGA5-64-OK

Comment 10 Mageia Robot 2017-07-30 17:59:42 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0231.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Amira Rimoldi 2020-05-13 10:36:54 CEST

CC: (none) => tedriemeltz21

Comment 12 lani kane 2022-07-20 05:18:07 CEST Comment hidden (spam)

CC: (none) => lanikane68

Comment 13 Terrence Kirk 2023-03-06 23:53:29 CET Comment hidden (spam)

CC: (none) => seekborrow

Comment 14 Timothy Sykes 2023-03-09 19:47:13 CET Comment hidden (spam)

CC: (none) => timothysykestss

Comment 15 Drew Binsky 2023-03-13 03:20:19 CET Comment hidden (spam)

CC: (none) => drewbinskyn